Economists are projecting that Cyber Monday 2016 will be the largest online shopping day in history. Last year, consumers spent a record $3.07 billion on e-commerce's biggest day, and sales this year are projected to be even higher.
E-commerce companies are not just bracing for record-breaking traffic; they are also preparing for an increase in attempts to hack their systems. CNBC recently described the time from Black Friday through Cyber Monday as the “hacking Super Bowl.” Cyber criminals are not just stealing payment information; they’re also looking for sensitive personal data that can be valuable on the black market.
The Payment Card Industry Data Security Standard (PCI DSS) provides industry-wide compliance standards for all merchants, including e-commerce companies. In this blog post, we examine two key areas of e-commerce operations that are vital PCI DSS checkpoints for ensuring that your customers’ data is secure and your site doesn’t become an easy target for hackers.
As data is exchanged over the Internet, hackers seek out security gaps in communication channels. The primary line of defense is ensuring that any page requiring the entry of sensitive information like name, address, date of birth and payment information is served over TLS (Transport Layer Security). Like its predecessor SSL (Secure Sockets Layer), TLS establishes an encrypted link between a company's server and a user's device. All information travels in encrypted form rather than plain text, so that, if intercepted, it is unreadable to unauthorized parties.
The Payment Card Industry Security Standards Council announced last year that all merchants are required to implement a migration plan to TLS 1.1 to ensure that all data transmission meets the latest encryption standards. The deadline for migration is June 2018. Remember, it is the merchant's responsibility to deploy a TLS certificate!
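As an added example (not part of the original post or any QTS material), the Python below builds a server-side TLS context that refuses the SSL and early-TLS handshakes the migration is meant to retire, and audits an arbitrary context against that floor. It assumes Python 3.7 or later on OpenSSL 1.1.0 or later, which is what SSLContext.minimum_version requires.

```python
"""Added example: a server TLS context meeting the PCI migration floor, plus an
audit function for checking any existing context against it.
Assumes Python 3.7+ built against OpenSSL 1.1.0+ (SSLContext.minimum_version)."""
import ssl

# The post names TLS 1.1 as the migration target, so that is the audit floor.
PCI_FLOOR = ssl.TLSVersion.TLSv1_1


def hardened_server_context() -> ssl.SSLContext:
    """Server context that will not negotiate SSLv3 or TLS 1.0.

    TLS 1.2 is chosen as the floor here, stricter than the 1.1 minimum.
    load_cert_chain() must still be called with the merchant's own certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression is a known weakness
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server, not client, picks the cipher
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Context with no protocol floor: roughly what a pre-migration deployment looks like."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings as strings; an empty list means the context meets the floor."""
    findings = []
    if ctx.minimum_version < PCI_FLOOR:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}; early TLS handshakes "
            f"are not refused by a version floor (required: {PCI_FLOOR.name})")
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("OP_NO_SSLv3 is not set")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled (OP_NO_COMPRESSION not set)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_server_context()),
                      ("legacy", legacy_server_context())):
        print(name, audit_context(ctx) or "OK")
```

The audit only inspects the local configuration; it does not replace a handshake test against the live site, which is what an assessor will perform.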
When seeking out a data center provider, it is key to make sure your partner offers a PCI compliant environment. The PCI DSS standard has more than 100 rigorous and rigid requirements that providers must meet. Here's a snapshot of the 12 requirements that regulate how merchants and data center providers store payment information:
Install and maintain firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Use and regularly update anti-virus software.
Develop and maintain secure systems and applications.
Restrict access to cardholder data on a business need-to-know basis.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security.
The QTS Internal Audit team focuses on defining controls and processes to meet the most up-to-date compliance standards. Learn more about how QTS can help you achieve your compliance goals with our PCI-DSS Compliance Data Sheet and contact us today to discuss your compliance needs.